Tag Archives: 11.5.2

Watchguard XTM 2 Series, XTM 3 Series, XTM 5 Series, XTM 8 Series – Fireware XTM OS 11.5.2 – CSP2 Build # 339057

11.5.2 – CSP2 Build # 339057 resolves the following issues:

BUG66110: TCP Conntrack Lifetime ~2 minutes in Active/Active cluster

BUG66008: A/P cluster crashes on fail back

Improved proxy throughput on XTM 1050 and XTM 8 series by increasing the total_queue_threshold and tcp_drop_threshold values to prevent congestion. The new values are: 50M -> 100M for XTM8 and 125M -> 250M for XTM1050

RFE61394: Wireless HotSpot redirect acceptance page to use HTTP

You can request 11.5.2 – CSP2 Build # 339057 from Watchguard Support by logging a support case online; they should then be able to provide an FTP download link and appropriate credentials.

Please note that Watchguard CSP releases are cumulative so you should only need to apply the latest to ensure that you also have any previous fixes.

Watchguard XTM 2 Series, XTM 3 Series, XTM 5 Series, XTM 8 Series – Fireware XTM OS 11.5.2 Build # 337008

Watchguard XTM 2 Series, XTM 3 Series, XTM 5 Series, XTM 8 Series – Fireware XTM OS 11.5.2 Build # 337008 has been released and can be downloaded from the Watchguard website: http://www.watchguard.com/

This major XTM OS Release introduces the following changes/improvements:

Significant enhancements introduced in this release include:

  • Application Control now offers a deny message to users whose HTTP requests are blocked
  • New Advanced Search for log messages added to Log and Report Manager
  • Mobile VPN with SSL now supports multiple authentication servers and Active Directory authentication domains
  • Management Server device configuration template improvements
    • Ability to create a device configuration template from an existing configuration file
    • Inclusion of hosted WebBlocker Server settings in template for XTM 2 Series and XTM 33 devices
    • Policy order in a template is preserved when you apply the template to an XTM device
  • Support for FireCluster for XTM 330 appliances

Minor enhancements include:

  • The ability to select the port used to send email notifications from the Log Server
  • An updated list of trusted Certificate Authorities for proxies
  • Diagnostic log messages for the Terminal Services Agent and TO Set Tool
  • SMTP-proxy TLS encryption rules now limited to a maximum of 200 bytes

The following bugs/issues have also been resolved in this release:


  • After you reboot your XTM device, you no longer see the warning “Cannot create directory `/etc/wg/tmp’”. [62883]
  • A problem that caused some XTM 8 Series devices to reboot because of a kernel crash has been resolved in this release. [64465]
  • ICMP redirects are now handled correctly after you upgrade from Fireware XTM v11.4.2 to v11.5.2. [64589]
  • Several problems that resulted in device configuration changes requiring a reboot to take effect have been resolved in this release. [64201, 64763]
  • A memory leak in the SNMP daemon has been corrected. [63860]
  • This release resolves problems that occurred during an upgrade from Fireware XTM OS v11.3.x. [64815]


  • When you configure policy-based Dynamic NAT with the Source IP option, you no longer need to add the Source IP address as a secondary address on the external network. [64292]
  • A default route is now correctly added when you enable Eth0 as an external interface. [63588]
  • This release resolves a problem with server connection stability when you use an SNAT load balancing action in your configuration. [64280]
  • It is no longer necessary to reboot your XTM device after you change the wireless guest network. [64415]
  • Dynamic NAT now supports nested aliases. [58991]
  • Dynamic NAT now works correctly when configured with an IP address range. [45005]
  • Branch office VPN tunnels can now successfully be created to use 1-to-1 NAT configured with an IP address range. [65105, 64480]
  • The multi-WAN Link Monitor now works correctly. [62535, 64817, 61487]
  • Multi-WAN now works correctly when configured in Routing Table mode, with the Link Monitor configured to use both ping and TCP using domain name. [61564]
  • XTM 2 Series Gigabit interfaces are now correctly labeled in the Firebox System Manager Status Report. [60621]
  • QoS marking now works correctly in proxy policies. [63518]
  • Multicast traffic can now pass through a branch office VPN on an XTM device configured in drop-in mode. [62234]


  • The default proxy trusted CA list has been updated to match those in most major browsers. [64438]
  • A problem that caused some HTTP downloads to stall when you use the HTTP proxy with IPS enabled has been resolved. [63136]
  • This release includes improvements to the clean-up of stale proxied connections that could prevent new connections from being allowed. [63574, 64519]


  • A problem that caused the master XTM 8 Series device in a FireCluster to reboot because of a kernel crash has been resolved. [63683]
  • High UDP traffic levels through a branch office VPN tunnel that terminates to a FireCluster no longer cause the FireCluster to reboot. [64251]
  • The FireCluster synchronization timeout has been increased to prevent synchronization failures. [63231]
  • A problem with the maintenance of the static ARP list for an active/active FireCluster has been resolved to improve FireCluster stability. [64440]
  • This release includes improved proxy debug log messages for FireCluster users. [63793]
  • A problem that caused a FireCluster to crash and reboot has been resolved. [64669]
  • A problem has been resolved that sometimes caused the FireCluster master to reboot when you used the CLI to remove a member. [64518]
  • The Status Report cluster load balancing algorithm label has been corrected from “Lease Connections” to “Least-connections”. [64684]
  • A problem that caused DHCP leases to fail to synchronize with the backup member has been fixed. [64148]
  • The backup member no longer crashes when the FireCluster is under heavy proxy traffic load and a manual failover is initiated. [64226]
  • A problem that caused some active/active FireClusters to fail when configured with branch office VPN has been resolved. [64909]
  • In a FireCluster environment, log messages are now consistently and correctly sent to the Log Server. [64983]

Mobile VPN with SSL

  • The Mobile VPN with SSL Mac client now correctly removes the previously assigned DNS server addresses after it is disconnected. [64418]

Mobile VPN with IPSec

  • A problem that resulted in a stack trace with the error message “Iked stack trcace eip=0x080c4013” has been resolved. [65026]

Branch Office VPN

  • Packets with a total data size value between 1507 and 1538 now correctly pass through a branch office VPN tunnel. [63764]
  • You can now correctly configure 1-to-1 NAT with an IP range for a branch office VPN tunnel. [65105]


  • A problem that caused the SSO Event Log Monitor to crash has been fixed. [64824]

WSM & Management Server

  • The Apache httpd server bundled with WSM has been upgraded to version 2.2.21. [58220, 64556]
  • IPS is now correctly shown as enabled/disabled within an XTM template. [64124]
  • The “Add Device” wizard now correctly detects and configures the gateway device with the private IP address of the Management Server. [64498]

Policy Manager

  • The backup archive password is no longer recorded in the log file. [64088]
  • Attempts to save configuration changes for new features to an XTM device running Fireware XTM v11.4 are now detected and handled correctly. [64609]

Web UI

  • The WatchGuard Authentication policy is no longer deleted when you disable Mobile VPN with SSL from the Web UI or CLI. [65234]
  • Gateway AV can now be enabled in an SMTP proxy action from the Subscription Services > Gateway AV > Configure page. [62464]

Security Services

  • A problem that caused Gateway AV to fail when performing archive file scanning has been resolved. [64898, 65114]

Logging & Reporting

  • The log level setting now works correctly for DHCP log messages. [57096]
  • Corrupt Log or Report Server database tables no longer cause an upgrade to the new v11.5.x database schema to abort. [64726]
  • This release corrects multiple issues with restoring log files from backup archives. [64141, 65173]
  • You can now export log search results from the Log and Report Manager. [63198, 42489, 62608]
  • The Log and Report Manager Logs > Devices list now includes the serial number for each device. [63786]
  • WatchGuard Server Center no longer resets the start time to a previous value when a report schedule is edited. [64980]
  • Users with permission to view only reports can now see all the reports they have access to. [65127]
  • The Alarms Summary report is now available in the Log and Report Manager Dashboard and Devices sections. [64420]
  • The default pivot (Users or Hosts) can now be set for the graphs available on the Log and Report Manager Dashboard tab. [65098]
  • Percentage and Total count statistics have been added to a number of summary reports in Report Manager. [62981, 63019]